In a series of 3 articles, Nick Denning, CEO, Diegesis, looks at the risks faced by company boards, with a particular focus on those confronting CIOs and CTOs relating to enterprise IT systems. This first article outlines how to analyse and categorise risks. Subsequent articles will highlight practical steps to handle risk and offer a template to help plan for change.
It is rare for organisations to be exactly where they want to be in their mix of enterprise IT solutions to support business processes. Existing systems that have proven their worth over the years are often costly to replace. However, technologies evolve and constant innovation creates killer applications that enterprises should not ignore.
The reality of the situation is much clearer if the business can build a full understanding of the risks faced by replacing existing solutions and implementing new ones. With that knowledge, relevant strategies, action plans and partnerships can be developed to drive the right changes at the right time.
Risk versus opportunity
So… what is risk? We can articulate risk simply by thinking in terms of – if event X occurs then the impact might be Y. We then consider the probability of each event occurring and the size or significance of the impact of the event. It is then possible to project any likely impact on profitability and reputational damage.
Opportunity and risk are two sides of the same coin. An organisation that effectively manages its risks can also create opportunities. This might be to reduce the operational costs of IT systems, with the results flowing straight to the bottom line. Alternatively, to use IT more effectively through the early adoption of new features to deliver competitive advantage.
What’s the role of mitigation and contingency?
Having determined the probability of an event occurring and its impact, then mitigation and contingency measures can be considered. Contingency measures are taken to deal with an event that does occur. However, a contingency plan has limited value if it isn’t practised, proven to work and kept updated.
It might not be possible to influence the probability of some events, for example, weather-related events. Others can be influenced. Regular servicing of a machine or vehicle to prevent breakdowns is an example of mitigation. In IT terms, this means keeping enterprise systems up to date with all security patches applied.
Developing contingency plans makes it possible to assess the best balance between spending time and resources to:
- Minimise the probability of an event occurring
- Minimise the impact if it does happen
- Prepare and test plans to recover from the failure.
What are frequency and catastrophe risks?
We expect some things to happen and may even accept them and the associated impact as part of doing business. These are dealt with as they occur, an example is theft from retail outlets. Such risks are referred to as frequency risks and may be accepted as shrinkage costs.
Other risks happen very infrequently but can have a high impact. These are potentially the most dangerous risks. If a fire destroys a building and everything it contains this is high impact and called a castrophe risk. An equivalent IT-related risk could be a ransomware attack with cyber-criminals demanding a sizeable ransom payment.
Is there a role for insurance?
Organisations may take out insurance to protect against losses. To calculate the insurance premium to quote, the underwriters will consider a combination of:
- An organisation’s claims history
- Expected losses across the market
- The current financial return on investment and the extent to which they are seeking premium revenue or advisory fees.
Therefore, some organisations ask what is the point of employing people to manage the risk, reduce the frequency and the potential impact – if the insurance company will pay anyway?
There is a series of good reasons to practise effective risk management. There are many things that an organisation cannot insure against or prove too expensive to insure. These include loss of reputation, loss of profits or the risk of going out of business. A catastrophic failure of enterprise IT systems could cause any or all three of these eventualities.
Just relying on insurance is simplistic. Claims for insured losses are generally only a fraction of the actual loss. For example, if a core system is out of action, insurance might pay for the eventual replacement but not:
- The cost of employees who are idle while a fix is sourced and implemented
- The uplift in overtime while people work extra hours to catch up with their work
- Missed opportunity costs which the team might have worked on if they were not resolving the issue
- The cost of lost business, both losing customers while orders cannot be taken and the cost of acquiring replacement customers.
Most importantly, some risks are “black flag” risks and if they occur there is a high probability that the company will go out of business. Through effective risk management, an organisation can reduce the level of potential losses and see a reduction in its future insurance premiums.
The difference between operational and project risks
It is also worth reflecting on the difference between operational and project risk. Operational risk covers the inherent risks that may impact the organisation when carrying out its normal day-to-day business. Frequency risks typically fall into the category of operational risk, covering the things that go wrong on a day-to-day basis. These risks are often the types that can be insured against.
If an organisation is implementing change, then it is probably running a project. The organisation may not have project or change management skills in-house. The principles of managing operational risk or project risk are very similar. The biggest challenge is often managing the people who are stakeholders in the related activities. Insuring against project overruns is a less common strategy.
Assessing against risk categories
There are standard risk categories that are used to analyse an organisation’s risk profile. These provide checklists of what to consider and offer a starting point to identify any unique risks.
Here are some examples of the different categories of risks:
- The threat of others seeking to harm an organisation
- Site/Environment Integrity
- Process and System Integrity
- Projects and Change Management
- Supplier Risk
- Business Continuity/Disaster Recovery.
A range of organisations provide risk templates that can be used to support such risk analysis.
Managing risks and identifying opportunities is an integral part of doing business. Identifying and categorising the types of risk faced is an important component of senior management job roles. Luckily the risk management discipline provides common ways to categorise and mitigate risks that can also be applied to core enterprise IT systems.
The next article will highlight practical steps to handle the different types of risks faced.
Nick Denning is CEO of Diegesis Limited, a business technology and IT systems integration company. Nick is an acknowledged expert on risk management and relational database technologies. Visit www.diegesis.co.uk
Diegesis is a business technology and IT systems integration company that specialises in delivering outcomes using RDBMS, integration and data analytics technology. The company has a proven track record delivering successful projects that provide tangible business value to large and mid-size organisations through the effective combination of people, process and technology. Diegesis specialises in helping organisations to release the hidden knowledge and wisdom from within their entire range of diverse sources of information (documents, emails, core business systems and applications, databases, intranet, internet and presentations) to support swift and effective decision-making. For more information, visit www.diegesis.co.uk